Threat Intelligence & MITRE ATT&CK
In one line: Threat intelligence is knowledge about adversaries — who attacks, and how — and MITRE ATT&CK is the field's shared catalog of attacker tactics and techniques, which together let a defender stop guessing and instead detect against real, known adversary behavior, measure their coverage as a map, and prioritize the detections that matter for their actual threats.
So far you've built the machinery to detect attackers — but which attacks should you detect first? You can't detect everything, so you need to know what real adversaries actually do. Threat intelligence is that knowledge: information about attacker groups, their motivations, and their methods, gathered from incidents, research, and shared feeds. And MITRE ATT&CK is the breakthrough that organized it — a giant, free, community-maintained matrix that catalogs the techniques attackers use, grouped by their goals. Instead of every defender independently guessing what to watch for, ATT&CK gives the whole industry a shared language and map of adversary behavior. Its superpower for a blue team: you can lay your detections over the matrix and literally see which attacker techniques you'd catch and which you'd miss — turning "are we secure?" (unanswerable) into "here's our coverage and here are the gaps" (actionable). This lesson ties the whole chapter together.
Threat intelligence: knowing your adversary
Threat intelligence (CTI) is processed knowledge about threats — turning raw data about attacks into something that informs defense. It's conventionally split into levels by who uses it and for what:
- Strategic — high-level, for leadership: which adversaries target our industry, their motivations (crime, espionage, hacktivism), and broad trends. Drives risk decisions and budget.
- Operational — about specific campaigns and adversary behavior: what a given group is doing right now, their TTPs. Drives what to hunt and detect.
- Tactical — concrete, machine-consumable indicators (IOCs: malicious IPs, hashes, domains) fed into the SIEM for matching.
A recurring beginner mistake is equating threat intel with just the tactical IOC feeds. Those are the lowest-value layer (recall the Pyramid of Pain — IOCs are trivially changed). The durable value is operational intel about adversary behavior — which is exactly what ATT&CK structures.
- Threat intelligence (CTI) — evidence-based knowledge about adversaries and their methods, used to inform defense.
- APT (Advanced Persistent Threat) — a well-resourced, persistent adversary (often nation-state), tracked as a named group.
- MITRE ATT&CK — a free, globally-used knowledge base of adversary tactics (goals) and techniques (methods), based on real-world observation.
- Tactic — why an attacker does something — the goal of a step (e.g., Initial Access, Persistence, Lateral Movement, Exfiltration). The matrix columns.
- Technique / sub-technique — how they achieve a tactic (e.g., "Phishing" for Initial Access). The matrix cells.
- Coverage mapping (heat map) — overlaying your detections onto the ATT&CK matrix to visualize what you can and can't detect.
- Threat-informed defense — prioritizing defenses based on the techniques your actual adversaries use, rather than trying to cover everything equally.
MITRE ATT&CK: the shared map of attacker behavior
ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a matrix. The columns are tactics — the attacker's goals, in roughly the order of an intrusion — and within each column are the techniques that achieve that goal:
TACTICS (goals) →      │ Initial Access   Execution           Persistence      Priv. Escalation    Lateral Movement     Exfiltration
TECHNIQUES (methods)   │ Phishing         Command/scripting   Scheduled task   Exploit misconfig   Remote services      Exfil over C2 channel
                       │ Exploit          ...                 New account      ...                 Pass reused creds    ...
                       │ Valid accounts
Notice this is the offensive chapter's lifecycle and the post-exploitation journey, formalized: initial access → execution → persistence → privilege escalation → lateral movement → exfiltration. ATT&CK is, in effect, the attacker's playbook written down so defenders can prepare for each move.
Why it changed the field:
- Shared language. "We detected T1566 (Phishing) leading to T1078 (Valid Accounts)" means the same thing to every defender, vendor, and report worldwide. No more everyone inventing their own terms.
- Based on reality. Techniques come from observed real-world attacks, not theory — so detecting them targets what adversaries actually do.
- Maps offense to defense. Each technique links to how to detect and mitigate it, turning "attacker behavior" directly into "what to log and what rule to write."
Coverage mapping: turning "are we secure?" into a map
The killer application for a blue team. You overlay your detections onto the ATT&CK matrix to produce a coverage heat map — green where you'd detect a technique, red where you're blind.
A security lead is asked "can we detect a ransomware crew?" Without ATT&CK, this is unanswerable hand-waving. With it:
- Pick the adversary's techniques. Threat intel says this ransomware group uses phishing (Initial Access), credential dumping (Credential Access), reused credentials for lateral movement, and disabling backups before encryption.
- Map your detections onto those techniques. You find: phishing — covered; credential dumping — covered (behavioral detection); lateral movement via reused creds — gap; backup tampering — gap.
- Prioritize the gaps. Now the work is concrete and ranked: build detections for lateral movement and backup tampering, because those are how this specific adversary would slip past you.
The vague dread of "are we secure?" became a specific, prioritized backlog tied to a real adversary. That conversion — from anxiety to an action plan grounded in real attacker behavior — is what ATT&CK gives a defender, and it's why it's the organizing framework of modern detection.
This is threat-informed defense: rather than spreading effort evenly (or by gut feel), you prioritize the techniques your likely adversaries actually use. It connects every chapter — intel says who and how, ATT&CK structures it, detection engineering builds the coverage, the SOC acts on it, and red teams test it by emulating specific techniques to validate your map is real.
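A worked version of the three steps above, as an added example (not code from the lesson or from MITRE): a short Python script that takes a constructed threat-intel profile of the ransomware crew and a constructed detection inventory, computes per-technique coverage, renders the heat map by tactic, and emits the ranked backlog. It goes one step beyond the text by recording whether red-team emulation has actually fired each rule, marking unvalidated rules amber rather than green; technique IDs T1566 and T1078 come from the lesson, while T1003, T1021 and T1490 are real ATT&CK IDs from the public catalog.

```python
# Added example (not from the lesson or MITRE): a minimal ATT&CK coverage map.
# Both inputs are constructed: a threat-intel profile of the lesson's ransomware
# crew, and a detection inventory tagged with the technique IDs each rule covers
# and whether red-team emulation of that technique has actually fired the rule.

# T1566 and T1078 appear in the lesson; T1003, T1021 and T1490 are from the
# public ATT&CK catalog. Tactic labels follow the matrix columns.
ADVERSARY_TTPS = {  # technique ID -> (name, tactic)
    "T1566": ("Phishing", "Initial Access"),
    "T1003": ("OS Credential Dumping", "Credential Access"),
    "T1078": ("Valid Accounts", "Lateral Movement"),
    "T1021": ("Remote Services", "Lateral Movement"),
    "T1490": ("Inhibit System Recovery", "Impact"),
}

DETECTIONS = {  # constructed inventory: rule -> (ATT&CK IDs mapped, validated?)
    "mail-gateway-phish-url": ({"T1566"}, True),
    "lsass-read-by-unsigned-process": ({"T1003"}, True),
    "shadow-copy-deletion": ({"T1490"}, False),  # written, never emulated
}
MARKS = {"covered": "[G]", "untested": "[A]", "gap": "[R]"}  # green/amber/red

def coverage(adversary, detections):
    """Per technique: 'covered' (a validated rule maps to it), 'untested'
    (a rule maps to it but was never proven to fire), or 'gap' (nothing maps)."""
    status = {}
    for tech in adversary:
        hits = [ok for ids, ok in detections.values() if tech in ids]
        status[tech] = "gap" if not hits else "covered" if any(hits) else "untested"
    return status

def heat_map(adversary, status):
    """One line per tactic (a matrix column), each cell marked by its status."""
    rows = {}
    for tech, (name, tactic) in adversary.items():
        rows.setdefault(tactic, []).append(f"{MARKS[status[tech]]} {tech} {name}")
    return [f"{tactic}: " + "; ".join(cells) for tactic, cells in rows.items()]

def backlog(adversary, status):
    """Ranked work list: gaps first, then untested rules; covered cells drop out."""
    rank = {"gap": 0, "untested": 1}
    todo = sorted((rank[s], t) for t, s in status.items() if s in rank)
    return [f"{t} {adversary[t][0]} ({adversary[t][1]}): {status[t]}" for _, t in todo]

if __name__ == "__main__":
    cov = coverage(ADVERSARY_TTPS, DETECTIONS)
    print("\n".join(heat_map(ADVERSARY_TTPS, cov) + backlog(ADVERSARY_TTPS, cov)))
```

In a real program the two inputs would come from the intel team's group profile and the detection repository's technique tags, and the backlog would be re-generated after every red-team exercise.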
How it ties the chapter together
ATT&CK is the connective tissue of detection:
- It tells you what telemetry to collect (logging) — each technique has data sources that reveal it.
- It structures what detections to write (detection engineering) — one per high-priority technique, at the behavior level.
- It lets the SOC and leadership see coverage and gaps as a map instead of a feeling.
- It gives red and blue a shared scorecard — red emulates techniques, blue checks whether each was detected, and the heat map updates.
The deepest value of ATT&CK is epistemological: it replaces guessing about security with measuring it against real adversary behavior. "Are we secure?" has no answer. "Which of the techniques our adversaries use can we detect, and where are the gaps?" has a concrete, improvable answer — a map you can color in over time. Defenders who adopt this stop chasing the scary headline of the week and start systematically closing the gaps that matter for their threats. That shift — from anxiety-driven to threat-informed — is the mark of a mature detection program.
Why it matters
- It makes detection prioritization rational. You can't detect everything; ATT&CK + threat intel tell you which techniques to cover first, based on real adversaries — the antidote to chasing every headline.
- It's the industry's shared language. ATT&CK technique IDs appear in vendor products, threat reports, job descriptions, and incident write-ups. Fluency in it is table stakes for a modern defender.
- It unifies the whole security program. Offense (techniques to emulate), detection (coverage to build), the SOC (alerts to act on), and leadership (risk to communicate) all speak ATT&CK — turning disconnected efforts into one measurable, threat-informed system.
Common pitfalls
- Equating threat intel with IOC feeds. Tactical indicators (IPs, hashes) are the lowest-value, most-perishable layer. The durable value is operational intel about adversary behavior (TTPs), which ATT&CK structures.
- Treating ATT&CK as a checklist to 100%. You can't and shouldn't detect every technique equally. Use threat intel to prioritize the techniques your adversaries actually use (threat-informed defense).
- Mapping coverage once and stopping. A heat map is a living tool — adversaries evolve, your environment changes, and detections decay. Re-map and re-test (via red teaming) continually.
- Confusing 'have a detection' with 'it works.' A green cell you never validated may be a false sense of security. Test detections (emulate the technique) before trusting the map.
- Ignoring the gaps you don't like. The valuable cells are often the hard ones (lateral movement, living-off-the-land). Prioritizing only easy techniques leaves the gaps adversaries actually use.
What's next
→ Take the Chapter 6 checkpoint to lock in the blue-team toolkit, then continue to Chapter 7: Incident Response & Forensics — what happens after the SOC escalates a confirmed incident: containing, investigating, and recovering from a breach.
→ Going deeper: the techniques ATT&CK catalogs are performed in Penetration Testing; the detections it structures are built in detection engineering; red-team emulation of ATT&CK techniques validates your coverage map.